In a post-COVID workplace, the concept of ‘Bring Your Own Device’ (BYOD) has gained significant traction. With the increasing adoption of remote work and flexible workplace policies, employees often use their personal devices to access company resources. However, this convenience comes with a suite of potential cyber risks, particularly for small to medium-sized businesses in the UK. This article aims to delve deep into the realm of BYOD, exploring its inherent cyber risks and offering practical strategies for mitigating them.
Unpacking BYOD: A Closer Look
BYOD refers to the practice of employees using their personal devices, such as smartphones, laptops, or tablets, for work-related tasks. These tasks can range from accessing emails and company files to using business applications and cloud services.
The growing popularity of BYOD is largely driven by its potential benefits. It can enhance employee productivity, offer significant cost savings, and boost talent retention by allowing employees the flexibility and convenience of working on devices they’re comfortable with.
However, these benefits are not without their share of cyber risks.
The Cyber Security Risks of BYOD
The incorporation of personal devices into the business environment inevitably opens the door to a variety of cyber threats. Here are some of the most common ones:
Device Infections
Personal devices are typically not as secure as those directly managed by an organisation's IT department. Employees may download apps or visit websites that harbour malware, leading to infection by information stealers, remote access trojans or ransomware. An infected device can then serve as a gateway for attackers to access sensitive company data, hold it for ransom or publish it on the dark web.
Device Loss or Theft
Personal devices used for work contain valuable business information, making them attractive targets for thieves. Devices can also be left behind accidentally in public spaces, exposing the data they contain to unauthorised access. An unmanaged device cannot be wiped or locked remotely by the business, so the loss of the hardware also becomes a potential data exposure.
Shadow IT
Shadow IT refers to the use of applications and services without the knowledge or approval of the IT department. With BYOD, the risk of shadow IT increases, as employees may use unsanctioned applications that could expose the company to data leaks and other security risks. Malware is often bundled with pirated or “cracked” software, meaning your business details may be at risk from a downloaded file that has no business use or relation.
Exposure of Sensitive Information
Personal devices may not have the same security features or settings as corporate devices, potentially leading to the unintentional exposure of sensitive company information. You also have no control over what information or data is on that device and what happens to it after the employee has changed roles or employer.
Disgruntled Employees
Disgruntled employees with access to company resources through their personal devices can pose a significant risk. They may intentionally leak sensitive data, cause disruptions, or commit other harmful acts. Understanding intentional or unintentional insider risk is paramount to ensuring a robust security culture in businesses of all sizes.
Unauthorised Access to Sensitive Data
With personal devices, there’s a higher risk of unauthorised access to sensitive data. This could occur if a device is shared with a friend or family member, or if it falls into the wrong hands.
The Impact on UK-Based Small Businesses
Small to medium-sized businesses in the UK are particularly vulnerable to these risks. According to a study conducted by Bitglass, about 74% of IT and security professionals allow employees to use their personal devices for work. However, almost half of these organisations don’t have a clear policy in place to manage them. This lack of oversight and control can leave businesses exposed to unnecessary risks.
Mitigating BYOD Cyber Risks: The Path Forward
While the risks associated with BYOD cannot be wholly eliminated, they can be significantly mitigated with the right strategies and tools. These include:
Implementing Clear BYOD Policies
A clear BYOD policy is essential for managing the risks associated with personal device use. This policy should outline the acceptable use of personal devices and provide guidance on security practices such as password protocols, approved apps, and procedures in the event of device loss or theft.
Using Multi-Factor Authentication (MFA)
MFA provides an additional layer of security by requiring users to provide two or more verification methods to gain access to a resource. This could be something they know (like a password), something they have (like a smartphone), or something they are (like a fingerprint).
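As an added illustration of the "something they have" factor described above (example code, not part of the original article or of any product), the following implements the time-based one-time password (TOTP) scheme from RFC 6238 that authenticator apps use, together with a verifier that tolerates one time step of clock drift. The shared secret and the constant-time comparison are the two things a defender most needs to get right; the secret value below is the RFC's own test key, not a real credential.

```python
"""RFC 6238 TOTP as the "something you have" factor in MFA (added example).

The secret below is the RFC 6238 test vector key (ASCII "12345678901234567890"),
used so the outputs can be checked against the published vectors.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test key, not a real secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps (clock drift).

    hmac.compare_digest avoids leaking the correct code through timing.
    """
    counter = int(at_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), submitted):
            return True
    return False


def second_factor_ok(secret: bytes, submitted: str) -> bool:
    """Verify a user-entered code against the current wall clock."""
    return verify_totp(secret, submitted.strip().replace(" ", ""), time.time())


if __name__ == "__main__":
    print("code at T=59:", totp(RFC_TEST_SECRET, 59))  # RFC vector: 287082
```

In a real deployment the secret is generated per user with `secrets.token_bytes`, stored encrypted server-side, and rate limiting is applied to verification attempts so the six-digit space cannot be guessed.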
Adopting User and Entity Behaviour Analytics (UEBA) and Data Loss Prevention (DLP) Tools
UEBA tools use machine learning algorithms to identify normal and abnormal user behaviour, thus helping detect potential security threats. On the other hand, DLP tools monitor and control endpoint activities, filter data streams on corporate networks, and provide protective actions to prevent data leaks.
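To make the UEBA idea concrete, here is an added example (not from the article or any vendor product) that learns a per-user baseline from a window of login events and then scores later events against it. The log format, field names, users and devices are constructed for this illustration; the rules (new device, new country, off-hours login, success after a run of failures) stand in for the learned models a real UEBA product would use.

```python
"""Baseline-and-deviation scoring over constructed login log lines (added example).

Learns what is "normal" for each user (hours, devices, countries) from a
baseline window, then flags later events that deviate. Log format is constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: ordinary UK working-hours logins.
BASELINE_LOGS = [
    "2024-02-01T09:05:00 user=alice device=alice-laptop country=GB result=success",
    "2024-02-01T17:40:00 user=alice device=alice-phone country=GB result=success",
    "2024-02-02T08:55:00 user=alice device=alice-laptop country=GB result=success",
    "2024-02-02T13:10:00 user=alice device=alice-phone country=GB result=success",
    "2024-02-01T10:00:00 user=bob device=bob-laptop country=GB result=success",
    "2024-02-02T10:30:00 user=bob device=bob-laptop country=GB result=success",
]

# Constructed later events: one ordinary login, one from an unknown device
# abroad at 03:20, and a burst of failures followed by a success.
NEW_LOGS = [
    "2024-02-05T09:15:00 user=alice device=alice-laptop country=GB result=success",
    "2024-02-05T03:20:00 user=alice device=unknown-android country=RO result=success",
    "2024-02-05T11:00:00 user=bob device=bob-laptop country=GB result=failure",
    "2024-02-05T11:01:00 user=bob device=bob-laptop country=GB result=failure",
    "2024-02-05T11:02:00 user=bob device=bob-laptop country=GB result=failure",
    "2024-02-05T11:03:00 user=bob device=bob-laptop country=GB result=success",
]


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(lines):
    """Per-user sets of hours-of-day, devices and countries seen in the window."""
    baseline = defaultdict(lambda: {"hours": set(), "devices": set(), "countries": set()})
    for ev in map(parse_line, lines):
        b = baseline[ev["user"]]
        b["hours"].add(ev["ts"].hour)
        b["devices"].add(ev["device"])
        b["countries"].add(ev["country"])
    return baseline


def _hour_distance(a, b):
    """Circular distance between two hours of day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_events(lines, baseline, off_hours_window=2, failure_threshold=3):
    """Return one alert per deviating event: user, timestamp, reasons and a score.

    Events are processed in order so the failure counter sees consecutive
    failures per user; a success after >= failure_threshold failures is flagged.
    """
    alerts = []
    failures = defaultdict(int)
    for ev in map(parse_line, lines):
        user = ev["user"]
        b = baseline.get(user)
        reasons = []
        if b is None:
            reasons.append("user never seen in baseline")
        else:
            if ev["device"] not in b["devices"]:
                reasons.append("new device")
            if ev["country"] not in b["countries"]:
                reasons.append("new country")
            h = ev["ts"].hour
            if all(_hour_distance(h, seen) > off_hours_window for seen in b["hours"]):
                reasons.append("off-hours login")
        if ev["result"] == "failure":
            failures[user] += 1
        else:
            if failures[user] >= failure_threshold:
                reasons.append(f"success after {failures[user]} consecutive failures")
            failures[user] = 0
        if reasons:
            alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                           "reasons": reasons, "score": len(reasons)})
    return alerts


if __name__ == "__main__":
    for alert in score_events(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(alert)
```

The score is simply the number of independent deviations, which is enough to rank the 03:20 login from an unknown device in a new country above the password-guessing pattern; a production tool would weight each signal and age the baseline so that a legitimately new phone stops alerting after it has been seen a few times.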
Enabling Remote Wipe Capabilities
In case of device loss or theft, organisations should have the ability to wipe all company data from the device remotely. This can help prevent unauthorised access to sensitive information.
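The policy section above and this one describe requirements that are normally enforced by an MDM or conditional-access product. As an added example (not the article's or any product's code), the following expresses such a BYOD policy as code: a device posture record is checked against minimum OS versions, encryption, screen lock, enrolment (which is what makes remote wipe possible) and blocked software, and a lost-device report produces the response steps the organisation can actually carry out for that device. All field names, thresholds and action names are constructed for the illustration.

```python
"""BYOD policy as code: access decision and lost-device response (added example).

Posture fields, minimum versions, app lists and action names are all
constructed for this illustration; real MDM products have their own schemas.
"""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    device_id: str
    owner: str
    os_name: str
    os_version: tuple            # e.g. (17, 2) parsed from "17.2"
    disk_encrypted: bool
    screen_lock: bool
    mdm_enrolled: bool           # enrolment is what makes remote wipe possible
    installed_apps: list = field(default_factory=list)
    reported_lost: bool = False


# Constructed policy parameters; tune these to your own written BYOD policy.
POLICY = {
    "min_os": {"iOS": (17, 0), "Android": (13, 0), "Windows": (10, 0), "macOS": (13, 0)},
    "blocked_apps": {"CrackedOfficeSuite"},   # pirated/"cracked" software is often bundled with malware
}


def evaluate_access(device, policy=POLICY):
    """Return (decision, findings); decision is 'allow', 'remediate' or 'deny'.

    'deny' findings block access outright; the rest require the user to fix
    the device before corporate data is released to it.
    """
    findings = []  # (severity, message)
    if device.reported_lost:
        findings.append(("deny", "device reported lost or stolen"))
    min_os = policy["min_os"].get(device.os_name)
    if min_os is None:
        findings.append(("deny", f"unsupported OS {device.os_name}"))
    elif device.os_version < min_os:
        version = ".".join(map(str, device.os_version))
        findings.append(("remediate", f"{device.os_name} {version} below minimum"))
    if not device.disk_encrypted:
        findings.append(("deny", "storage not encrypted"))
    if not device.screen_lock:
        findings.append(("remediate", "no screen lock configured"))
    if not device.mdm_enrolled:
        findings.append(("remediate", "not enrolled: remote wipe impossible"))
    blocked = sorted(set(device.installed_apps) & policy["blocked_apps"])
    if blocked:
        findings.append(("deny", "blocked apps present: " + ", ".join(blocked)))

    if any(sev == "deny" for sev, _ in findings):
        decision = "deny"
    elif findings:
        decision = "remediate"
    else:
        decision = "allow"
    return decision, [msg for _, msg in findings]


def handle_lost_device(device):
    """Ordered response actions for a loss/theft report.

    Only an enrolled device can be wiped; for an unenrolled one the business
    is limited to cutting off access and reviewing what the device could reach.
    """
    actions = ["revoke_sessions", "reset_password", "notify_owner"]
    if device.mdm_enrolled:
        actions.insert(1, "remote_wipe_corporate_data")
    else:
        actions.append("rotate_shared_credentials_and_review_access_logs")
    return actions


if __name__ == "__main__":
    d = DevicePosture("d1", "alice", "iOS", (17, 2), True, True, True, ["CorpMail"])
    print(evaluate_access(d))
    print(handle_lost_device(d))
```

The contrast between the two `handle_lost_device` branches is the practical argument for enrolment: without it, the "procedures in the event of device loss or theft" that the policy promises shrink to revoking access after the fact.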
Providing Regular Training and Education
Regular training and education are crucial to ensure that employees understand the risks associated with BYOD and the steps they can take to mitigate them. This can include training on recognising and avoiding phishing attempts, using secure Wi-Fi networks, and safeguarding sensitive data.
Final Thoughts
BYOD is here to stay, and with the right approach, businesses can reap its benefits while minimising its risks. Adopting robust security practices, implementing clear policies, and leveraging advanced security tools can help businesses navigate the complex landscape of BYOD security.
Understanding the genuine risk of a cyber attack is the first step towards robust cyber security. To help small business owners take proactive steps in this regard, Perspective Intelligence is hosting a webinar on Thursday 29th February. The session will provide valuable insights into external data exposure and support the implementation of rigorous security practices.
Remember, in the world of cyber security, prevention is always better than cure. With a comprehensive understanding of BYOD risks and the right mitigation strategies in place, businesses can confidently embrace the flexibility and productivity benefits of BYOD without compromising their security.
Register for Our Webinar
On Thursday, 29th February, we are hosting a webinar to address some of the cyber security concerns raised in this article, along with best-practice guidance you can act on today to make your business more cyber secure. Registration for this webinar is completely free, and you can register via Eventbrite.
About Perspective Intelligence
Perspective Intelligence is a London, United Kingdom-based cyber intelligence specialist. We offer services across attack surface, cyber threat and open-source intelligence in addition to intelligence training services both in-person and online.
About Aaron Roberts
Aaron Roberts is an intelligence professional specialising in Cyber Threat Intelligence (CTI) and Open-Source Intelligence (OSINT). He is focused on building intelligence-led cyber capabilities in businesses of all sizes and conducting online investigations and research. Aaron’s prior experience includes the Military, small startups and global multi-nationals.
Aaron founded Perspective Intelligence in 2020, as he identified that UK-based small businesses can improve their underlying security posture using cyber intelligence. Aaron delivers training on behalf of Perspective Intelligence and is the author of the book Cyber Threat Intelligence: The No-Nonsense Guide for CISOs and Security Managers.